Did Guccifer 2 Plant his Russian Fingerprints?

This report investigates in detail various aspects of the first five Word documents (1.doc, 2.doc, … 5.doc) that Guccifer 2 published on his WordPress.com blog site. It was widely reported that the first document, 1.doc, displayed “Russian fingerprints” (Russian error messages written in Cyrillic letters). In this report we describe how those “Russian fingerprints” became embedded inside 1.doc.

The sequence of circumstances that created these “Russian fingerprints” is sufficiently complex and unusual to raise the question: Did Guccifer 2 plant those “Russian fingerprints” intentionally?

Comments will be accepted here for the next couple of weeks. Off-topic or off-color comments will be silently filtered and ignored.

10 thoughts on “Did Guccifer 2 Plant his Russian Fingerprints?”

We now have evidence to suggest:
1) Guccifer 2.0 was operating in an American time zone.
2) Guccifer 2.0 documents were obtained from a leak rather than a hack.
3) Many of the “clues” that indicated Guccifer 2.0 was a Russian hacker were carefully constructed.

It’s no longer a stretch to conclude that Guccifer 2.0 was an operation designed to implicate Wikileaks as a Russian stooge and (likely) to take attention away from the content of the released emails. The question, then, remains as to who conducted this operation.

Just to be clear, are you suggesting that G2 intentionally implanted a “Russian fingerprint” into 1.doc in order for the DNC to be able to claim Russia hacked the emails?
I read the whole thing waiting to get the gist of what all that implies. Maybe I need more coffee but I remain uncertain as to what this is ultimately suggesting.

Are you suggesting that G2 intentionally implanted a “Russian fingerprint” into 1.doc in order for the DNC to be able to claim Russia hacked the emails?

We do not know who G2 is, nor his intent. The prevailing narrative has been that G2 left behind the “Russian fingerprints” because he was careless and in a hurry to respond to the DNC’s announcement the previous day. No one took a look at what it takes to create those Russian fingerprints (Cyrillic error messages). This report/analysis does that. It is a very long chain of unconventional actions. The reader will have to decide whether G2 was in a hurry/not and whether he was deliberate in constructing those Russian fingerprints/not.

I’ll just go ahead and say it, your analysis strongly suggests that G2 had an intent to deceive. It would be interesting to see if someone can reproduce the fingerprints “accidentally,” in line with the standard narrative.

Since then I’ve realised that these timestamps are (extremely likely) intentional. On boot if you change the clock settings to Moscow / Romania time then repeat the steps you so brilliantly outlined, then you’d get a document with a GMT+3 timestamp. I believe *this* is the reason why they went to such trouble to go to these steps.

It should be noted that Cyber Berkut also alter documents in this way. I strongly suspect that G2’s first documents were altered to *appear* like Cyber Berkut documents. If I’m right then we need to look at Biden’s meeting on the same day with the pro-EU Ukrainians and Chalery, Nuland and Chalupa.

Feel free to “fail” me if I am off base but “Guccifer 2” had Democratic party documents before Wikileaks released these as attachments to the “Podesta” Wikileaks email release?

Does this mean G2 is likely the hacker of Podesta’s emails? Or a party insider with access to the same docs Podesta would likely read?

Did G2 get overly excited about the CS-DNC “hack” announcement and assumed it was about his or her doings with Podesta? Is that why G2 rushed the June 15 modifications? Is that why G2 could not prove their hacking skills–they did not go beyond security password guessing or phishing? Were the Russian Fingerprints to hide G2’s origin…or just playfully malicious?

“Guccifer 2” had Democratic party documents before Wikileaks released these as attachments to the “Podesta” Wikileaks email release?

Per media reports, the first DNC emails were disclosed by WL on July 22, 2016. Therefore, we could only say with some certainty that G2 may have had access to DNC documents prior to their release only if the documents were released on G2’s web site or to third parties (who made them public) before then.

There were three batches of G2 documents before 7/22: 6/15, 6/18, and 7/6. The 7/6 batch had 9 documents, all can be traced to DNC email attachments. No other batches (before/after 7/22) can be traced to the DNC emails. Note: matching documents by name is an approximate process and not all of G2’s documents could be traced to a source (Podesta emails, DNC emails, ngpvan.7z, cf.7z). G2 modified the metadata on most of the docs in those first 3 drops, mentioned above – therefore exact match is impossible.

Does this mean G2 is likely the hacker of Podesta’s emails? Or a party insider with access to the same docs Podesta would likely read?

We don’t have the info. to make that determination. Possession of documents that can be traced to the Podesta emails doesn’t confirm that those emails were the actual source. Even if we could determine that the Podesta emails are the actual source, we have no way (using public sources) of linking G2 as the perp who took them.

Did G2 get overly excited about the CS-DNC “hack” announcement and assumed it was about his or her doings with Podesta? Is that why G2 rushed the June 15 modifications? Is that why G2 could not prove their hacking skills–they did not go beyond security password guessing or phishing? Were the Russian Fingerprints to hide G2’s origin…or just playfully malicious?

With only G2’s boasting and his document dumps to go on, we have no proof that he did any hacking, much less do we know how the hacking was done.

Why do you say “G2 *rushed* the June 15 modifications”? In our article, we show that the path to disclosing “Russian fingerprints” looks to be long, complex, and deliberate. Putting aside motivation/intent, just walking through those steps would take significant time. On G2’s first day, he had to doctor up 5 Word documents, 5 spreadsheets, communicate with two media outlets (TSG and Gawker), *and* create a blog site. G2 may have been in a hurry, but overall he seems quite organized and deliberate.

There is an alternative scenario, where G2 contacted the media outlets prior to the DNC going public. The media outlets may have tipped off the DNC and then delayed release of their articles until after the DNC got their announcement out via WaPo and Crowdstrike. It may have been the DNC that was playing defense. We just don’t know.